Network Issue / VPN Client related issue

Katewadi
We have a Juniper Netscreen SSG 140 that is connected to our ISP connection.  We are using the recommended Juniper VPN client for Windows XP / Vista (it does not work on Windows 7 yet). Our offsite users need to access BOTH our Corporate office and our local office. Our remote users could connect to our corporate office via VPN OR they can connect to the local office via VPN. When they connect to the Corporate VPN, it routes the traffic to the local office. I believe the Corporate VPN is able to redirect the traffic to both 10.x (Corporate), and 192.x (US) networks. But, it does not work the other way around. Our local VPN client is not able to route the traffic to the 10.x (Corporate) network.

When people need access to both the networks, they are forced to come through the Corporate VPN, and that becomes too slow. Life would be a lot easier if they could VPN into the local office and from their local VPN, utilize the fixed tunnel to the corporate network.
We do have a permanent / fixed VPN connection to our Corporate (10.x) network. This is because our Network hardware is already configured for the fixed tunnel. So, when someone is inside our local office -- connected inside the local network -- they can reach the corporate network without needing any additional tool. But, when they are remote -- connecting via the VPN -- they can't reach the corporate 10.x network.

 Is this a VPN client problem? OR Do we need something configured differently on our Juniper VPN gateway?

Is it possible that the Corporate VPN client is set up to redirect both 192.x and 10.x, but our local Juniper client is only set up to redirect 192.x and not set up to redirect 10.x…?

 If this is a VPN client issue, can we use a different VPN client (instead of the Juniper client) to get over this issue?

 What would be your advice for a possible solution…?

John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
It is probably slow because most DSL connections are not the same speed in both directions making it very slow when routing through to the other location.

In terms of client, the Juniper Netscreen Client is very good (in my opinion) in XP. I am using Windows 7 64-bit now and use the NCP Secure Entry Client. It is good, and can navigate through multiple NATs where the Juniper client sometimes cannot. You might give it a try to see if it helps.
... Thinkpads_User

Author

Commented:
Hello Thinkpads_User,

Thanks for your input...

So, are you suggesting this is a VPN client issue?

Could you please give a few more details on what the "NCP Secure Entry Client" is...? Is it a different / free client for Windows 7? Where can I get it?

Is this VPN client available for Linux / Mac users as well?

I believe the Juniper client does not work on Windows 7.

Regards,

-Katewadi
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
Hello Katewadi - I read through your post but I am not certain it is all a client issue. You may need to get some expertise in the Netscreen box itself to make sure it is properly set up. I have a client with these boxes where I can see the other end from either end so to speak. Speed is affected by the asynchronous nature of DSL, for which the only answer is faster lines. You might look at the MTU on both boxes to make sure it is set to 1492 (or possibly less) where 1500 is default and not suitable to DSL.

Now, on to NCP. You can find it at www.ncp-e.com and look for Secure Client. No, it is not free. It works on Windows 7 Pro 64-bit and is one of the few clients that will do that. I am using it. It works on earlier platforms as well so far as I know. It is a Windows client, not Linux or Mac. And, to your point, I am using it because Juniper doesn't have one.

What I like about it is that it will traverse multiple NAT networking. So right now I am away and hooked up with my USB Internet stick. My IP is a 10.141.x.x address and is buried in the ISP's network. NCP will work through that and connect to my clients with Juniper Netscreen 5GT boxes. The Juniper Netscreen remote client had difficulties with this.

I am not an expert in this, but I hope I have helped with the information I do have.
... Thinkpads_User

Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
Regarding a free VPN client for W7, Linux, Mac (...), I recommend the ShrewSoft VPN Client (www.shrew.net). It is very versatile, and a setup tutorial for both client and VPN device (including SSGs) is provided.
Additionally, this client allows for manual setting of the secured networks (which might be the issue).

What IP addresses are negotiated when using VPN to both offices? It might be a simple routing issue, not at all related to the VPN client.

The most reliable way to find out what happens is to start debugging on SSG with a flow filter. That can only be done on single IP addresses, so you would have to set up debugging on-the-fly.
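
A flow-filter debug session of the kind suggested above, as an added example that is not part of the original answer. The two addresses are constructed placeholders: 192.168.1.50 stands for the address the remote VPN client receives from the local office, 10.0.0.10 for a host on the corporate network. Lines starting with `#` are annotations, not commands to type.

```screenos
# Constructed placeholder addresses; replace with the real client and target IPs.
# One filter per direction, so both the request and any reply are captured.
set ffilter src-ip 192.168.1.50 dst-ip 10.0.0.10
set ffilter src-ip 10.0.0.10 dst-ip 192.168.1.50
get ffilter

# Start from an empty debug buffer, then enable flow debugging.
clear dbuf
debug flow basic

# Now reproduce the problem: from the connected VPN client, ping 10.0.0.10.

# Stop debugging immediately afterwards and read the buffer.
undebug all
get dbuf stream

# Clean up: each "unset ffilter" removes one filter, so run it once per filter.
unset ffilter
unset ffilter
clear dbuf
```

The buffered output shows, for each matched packet, the route lookup and the policy decision the SSG made, which is what separates a routing or policy problem on the gateway from a client-side one.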
